diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-28 22:00:24 +0000 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-28 22:00:32 +0000 |
| commit | 36c8a31d573bdd2edd4c87be63eb8dde20a79761 (patch) | |
| tree | 066a4e64b1efb9c9dabbf3c2e097d32a82656ef8 /spec | |
| parent | cc201d1e1be2c8f4de2e2265c2b83bd925f8a260 (diff) | |
| download | gitlab-ce-36c8a31d573bdd2edd4c87be63eb8dde20a79761.tar.gz | |
Add latest changes from gitlab-org/security/gitlab@15-4-stable-ee
Diffstat (limited to 'spec')
| -rw-r--r-- | spec/controllers/boards/issues_controller_spec.rb | 20 | ||||
| -rw-r--r-- | spec/services/issues/create_service_spec.rb | 13 | ||||
| -rw-r--r-- | spec/services/issues/update_service_spec.rb | 17 |
3 files changed, 48 insertions, 2 deletions
diff --git a/spec/controllers/boards/issues_controller_spec.rb b/spec/controllers/boards/issues_controller_spec.rb index 1fd249eba69..3e1cdfccc61 100644 --- a/spec/controllers/boards/issues_controller_spec.rb +++ b/spec/controllers/boards/issues_controller_spec.rb @@ -427,6 +427,22 @@ RSpec.describe Boards::IssuesController do end describe 'POST create' do + context 'when trying to create issue on an unauthorized project' do + let(:unauthorized_project) { create(:project, :private) } + let(:issue_params) { { project_id: unauthorized_project.id } } + + it 'creates the issue on the board\'s project' do + expect do + create_issue user: user, board: board, list: list1, title: 'New issue', additional_issue_params: issue_params + end.to change(Issue, :count).by(1) + + created_issue = Issue.last + + expect(created_issue.project).to eq(project) + expect(unauthorized_project.reload.issues.count).to eq(0) + end + end + context 'with valid params' do before do create_issue user: user, board: board, list: list1, title: 'New issue' @@ -500,13 +516,13 @@ RSpec.describe Boards::IssuesController do end end - def create_issue(user:, board:, list:, title:) + def create_issue(user:, board:, list:, title:, additional_issue_params: {}) sign_in(user) post :create, params: { board_id: board.to_param, list_id: list.to_param, - issue: { title: title, project_id: project.id } + issue: { title: title, project_id: project.id }.merge(additional_issue_params) }, format: :json end diff --git a/spec/services/issues/create_service_spec.rb b/spec/services/issues/create_service_spec.rb index 4a84862b9d5..3d52dc07c4f 100644 --- a/spec/services/issues/create_service_spec.rb +++ b/spec/services/issues/create_service_spec.rb @@ -47,6 +47,19 @@ RSpec.describe Issues::CreateService do due_date: Date.tomorrow } end + context 'when an unauthorized project_id is provided' do + let(:unauthorized_project) { create(:project) } + + before do + opts[:project_id] = unauthorized_project.id + end + + it 'ignores the project_id param and creates issue in the given project' do + expect(issue.project).to eq(project) + expect(unauthorized_project.reload.issues.count).to eq(0) + end + end + it 'works if base work item types were not created yet' do WorkItems::Type.delete_all diff --git a/spec/services/issues/update_service_spec.rb b/spec/services/issues/update_service_spec.rb index 8a2e9ed74f7..634a4206d48 100644 --- a/spec/services/issues/update_service_spec.rb +++ b/spec/services/issues/update_service_spec.rb @@ -69,6 +69,23 @@ RSpec.describe Issues::UpdateService, :mailer do } end + context 'when an unauthorized project_id is provided' do + let(:unauthorized_project) { create(:project) } + + before do + opts[:project_id] = unauthorized_project.id + end + + it 'ignores the project_id param and does not update the issue\'s project' do + expect do + update_issue(opts) + unauthorized_project.reload + end.to not_change { unauthorized_project.issues.count } + + expect(issue.project).to eq(project) + end + end + it 'updates the issue with the given params' do expect(TodosDestroyer::ConfidentialIssueWorker).not_to receive(:perform_in) |